Query Details
name: Initial Access, ISO/IMG File Mounted
description: Detects the mounting of an ISO or IMG file, which could indicate a spearphishing attachment
references: https://attack.mitre.org/techniques/T1566/001/
tags: Initial Access, T1566
search_query: (DeviceFileEvents | where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk")
This query is designed to detect potential initial-access activity by identifying when an ISO or IMG disk image is mounted on a device. These file types are often used to deliver spearphishing attachments. The query looks for DeviceFileEvents rows where FileName ends with ".iso.lnk" or ".img.lnk", i.e. the shortcut (.lnk) artifacts Windows writes (for example to the user's Recent Items folder) when such an image is opened. A hit suggests a malicious attachment may have been opened and warrants triage of the initiating process and the image's origin. Note that KQL `endswith` is case-insensitive, so variants such as ".ISO.LNK" also match.
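As an added example that is not part of the original query, the detection logic above re-implemented in Python and run over constructed DeviceFileEvents rows, so the filter can be exercised offline; the row shape and the `summarize_by_device` helper are assumptions made for this example, not the page's own code.

```python
# Added example (not part of the original detection page): mirrors the KQL
#   DeviceFileEvents | where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk"
# over constructed sample rows. KQL `endswith` is case-insensitive, so the
# comparison is lower-cased to match its behaviour.
from collections import Counter

SUFFIXES = (".iso.lnk", ".img.lnk")

# Constructed sample rows shaped after DeviceFileEvents columns (assumption:
# only FileName is needed by the query; the others are kept for triage context).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-22T09:14:03Z", "DeviceName": "ws01",
     "FileName": "invoice.iso.lnk",
     "FolderPath": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2024-01-22T09:14:01Z", "DeviceName": "ws01",
     "FileName": "invoice.iso",            # the image itself: no .lnk suffix, no match
     "FolderPath": r"C:\Users\alice\Downloads",
     "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2024-01-22T10:02:47Z", "DeviceName": "ws02",
     "FileName": "Q4_statement.IMG.LNK",   # upper case still matches (case-insensitive)
     "FolderPath": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2024-01-22T10:05:10Z", "DeviceName": "ws02",
     "FileName": "report.docx.lnk",        # ordinary document shortcut: no match
     "FolderPath": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent",
     "InitiatingProcessFileName": "explorer.exe"},
]


def is_iso_img_lnk(file_name: str) -> bool:
    """True when FileName ends with .iso.lnk or .img.lnk, ignoring case."""
    return file_name.lower().endswith(SUFFIXES)


def find_iso_img_lnk(events):
    """Apply the query's `where` clause and return the matching rows."""
    return [e for e in events if is_iso_img_lnk(e.get("FileName", ""))]


def summarize_by_device(events):
    """Count hits per DeviceName, a typical first triage pivot (assumed helper)."""
    return dict(Counter(e["DeviceName"] for e in find_iso_img_lnk(events)))


if __name__ == "__main__":
    for hit in find_iso_img_lnk(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"],
              hit["InitiatingProcessFileName"])
    print(summarize_by_device(SAMPLE_EVENTS))
```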

Ali Hussein
Released: January 22, 2024